Commit log (each entry: commit message, author, date, files changed, lines -removed/+added)

* doc: add osf expression to man page
  Author: Fernando Fernandez Mancera | Date: 2018-08-04 | Files: 1 | Lines: -0/+29

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: py: add test cases for "osf" matching
  Author: Fernando Fernandez Mancera | Date: 2018-08-04 | Files: 2 | Lines: -0/+10

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: introduce passive OS fingerprint matching
  Author: Fernando Fernandez Mancera | Date: 2018-08-04 | Files: 9 | Lines: -0/+99

  Add support for "osf" expression. Example:

    table ip foo {
            chain bar {
                    type filter hook input priority 0; policy accept;
                    osf name "Linux" counter packets 3 bytes 132
            }
    }

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: correct some typos in asciidoc
  Author: Arushi Singhal | Date: 2018-08-03 | Files: 6 | Lines: -39/+29

  Correct some typo mistakes done while converting man page source to
  asciidoc.

  Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: Expose socket mark via socket expression
  Author: Máté Eckl | Date: 2018-08-03 | Files: 9 | Lines: -9/+73

  This can be used like ct mark or meta mark except it cannot be set.

  doc and tests are included.

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: Add tproxy statement to man page
  Author: Máté Eckl | Date: 2018-08-03 | Files: 1 | Lines: -0/+58

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>

* tests: py: Add test cases for tproxy support
  Author: Máté Eckl | Date: 2018-08-03 | Files: 6 | Lines: -0/+153

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: Add tproxy support
  Author: Máté Eckl | Date: 2018-08-03 | Files: 8 | Lines: -0/+294

  This patch adds support for transparent proxy functionality which is
  supported in ip, ip6 and inet tables.

  The syntax is the following:

    tproxy [{|ip|ip6}] to {<ip address>|:<port>|<ip address>:<port>}

  It looks for a socket listening on the specified address or port and
  assigns it to the matching packet.

  In an inet table, a packet matches for both families until address is
  specified.

  Network protocol family has to be specified **only** in inet tables if
  address is specified.

  As transparent proxy support is implemented for sockets with layer 4
  information, a transport protocol header criterion has to be set in the
  same rule. eg. 'meta l4proto tcp' or 'udp dport 4444'

  Example ruleset:

    table ip x {
            chain y {
                    type filter hook prerouting priority -150; policy accept;
                    tcp dport ntp tproxy to 1.1.1.1
                    udp dport ssh tproxy to :2222
            }
    }
    table ip6 x {
            chain y {
                    type filter hook prerouting priority -150; policy accept;
                    tcp dport ntp tproxy to [dead::beef]
                    udp dport ssh tproxy to :2222
            }
    }
    table inet x {
            chain y {
                    type filter hook prerouting priority -150; policy accept;
                    tcp dport 321 tproxy to :ssh
                    tcp dport 99 tproxy ip to 1.1.1.1:999
                    udp dport 155 tproxy ip6 to [dead::beef]:smux
            }
    }

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: statements.txt: Wrap extra long lines to 80 chars
  Author: Máté Eckl | Date: 2018-08-01 | Files: 1 | Lines: -25/+83

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: stateful-objects.txt: Wrap extra long lines to 80 chars
  Author: Máté Eckl | Date: 2018-08-01 | Files: 1 | Lines: -2/+7

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: primary-expression.txt: Wrap extra long lines to 80 chars
  Author: Máté Eckl | Date: 2018-08-01 | Files: 1 | Lines: -3/+13

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: payload-expression.txt: Wrap extra long lines to 80 chars
  Author: Máté Eckl | Date: 2018-08-01 | Files: 1 | Lines: -3/+21

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: data-types.txt: Wrap extra long lines to 80 chars
  Author: Máté Eckl | Date: 2018-08-01 | Files: 1 | Lines: -7/+22

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: nft.txt: Wrap extra long lines to 80 chars
  Author: Máté Eckl | Date: 2018-08-01 | Files: 1 | Lines: -51/+183

  When I tried to send a patch that included man page update I got the
  following error from git send-email:

    fatal: patch.patch:287: patch contains a line longer than 998 characters

  Line 287 was a non-modified line so it was there before my patch. Even
  this patch can only be sent with mutt but not with git send-email.

  This patch tries to fix this issue by wrapping extra long lines to 80
  characters wide.

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: remove nft.xml from CLEANFILES
  Author: Florian Westphal | Date: 2018-07-26 | Files: 1 | Lines: -1/+1

  This file doesn't exist.

  Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* nft: doc: Convert man page source to asciidoc
  Author: Arushi Singhal | Date: 2018-07-26 | Files: 9 | Lines: -5743/+2435

  This patch converts nft.xml into asciidoc markup.

  Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* src: fix a typo in socket.h
  Author: Fernando Fernandez Mancera | Date: 2018-07-22 | Files: 1 | Lines: -3/+1

  Fix a typo in socket_template struct description.

  Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* src: meta: always prefix 'meta' for almost all tokens
  Author: Florian Westphal | Date: 2018-07-21 | Files: 19 | Lines: -117/+114

  got following bug report:

    nft add ... ct mark set mark and 0x10 ...

  always sets 0.

  What reporter meant to write instead was 'ct mark', not 'mark'.

  We can't just remove support for 'mark' and force 'meta mark', but we
  can start to discourage it by printing meta prefix too.

  Later on, we could start to print deprecation warning if needed.

  Followup patch can also change "iifname" etc. to "meta iifname".

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: add test case for rename-to-same-name
  Author: Florian Westphal | Date: 2018-07-18 | Files: 2 | Lines: -14/+19

  kernel currently permits chains with same name when a transaction
  renames 2 chains to the same new name.

  Add a test case for this.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests: shell: validate maximum chain depth
  Author: Pablo Neira Ayuso | Date: 2018-07-16 | Files: 1 | Lines: -0/+22

  Original script from Taehee Yoo.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: shell: add tests for listing objects
  Author: Harsha Sharma | Date: 2018-07-16 | Files: 2 | Lines: -0/+57

  Add tests for listing specific object for a given table name and all
  objects of a table.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* rule: list only the table containing object
  Author: Harsha Sharma | Date: 2018-07-10 | Files: 1 | Lines: -7/+5

  For e.g.

    % nft list ct helper ip raw cthelp1
    table ip filter {
    }
    table ip raw {
            ct helper cthelp1 {
                    type "ftp" protocol tcp
                    l3proto ip
            }
    }

  With this patch, print only table raw.

  Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests: check ifname use in concatenated sets
  Author: Florian Westphal | Date: 2018-07-07 | Files: 2 | Lines: -0/+12

  error was:

    nft create set inet filter keepalived_ranges4 { type inet_service . ifname \; }
    Error: Empty string is not allowed

  This was fixed in 6b00b9537e181 ("evaluate: skip evaluation of datatype
  concatenations").

  Signed-off-by: Florian Westphal <fw@strlen.de>

* nft: set: print dynamic flag when set
  Author: Florian Westphal | Date: 2018-07-07 | Files: 1 | Lines: -1/+5

  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: describe dynamic flag and caveats for packet-path updates
  Author: Florian Westphal | Date: 2018-07-07 | Files: 1 | Lines: -6/+8

  This fails:

    nft add table ip filter
    nft add chain ip filter input '{' type filter hook input priority 0 ';' '}'
    nft add set ip filter protocols '{' type inet_proto ';' '}'
    nft add rule ip filter input iifname lo set add ip protocol @protocols
                                            ^^^^^^^^^^^^^^^^^^^

  ...as wrong set type gets chosen.

  Describe dynamic flag and that sets should have both timeout and max
  size set.

  Signed-off-by: Florian Westphal <fw@strlen.de>

* evaluate: skip evaluation of datatype concatenations
  Author: Pablo Neira Ayuso | Date: 2018-07-07 | Files: 1 | Lines: -4/+5

  These are not really expressions, so there is not value in place. The
  expr_evaluate_concat() is called from set_evaluate() to calculate the
  total length of the tuple.

  Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1265
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: update manpage to document --literal option
  Author: Pablo Neira Ayuso | Date: 2018-07-07 | Files: 1 | Lines: -4/+8

  This patch describes the new --literal option.

  Remove documentation on -N to prepare it for deprecation.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add --literal option
  Author: Pablo Neira Ayuso | Date: 2018-07-07 | Files: 16 | Lines: -32/+59

  Default not to print the service name as we discussed during the NFWS.

    # nft list ruleset
    table ip x {
            chain y {
                    tcp dport 22 ip saddr 1.1.1.1
            }
    }

    # nft -l list ruleset
    table ip x {
            chain y {
                    tcp dport ssh ip saddr 1.1.1.1
            }
    }

    # nft -ll list ruleset
    table ip x {
            chain y {
                    tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com
            }
    }

  Then, -ll displays FQDN, just like the (now deprecated) --ip2name (-N)
  option.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* rule: limit: don't print default burst value
  Author: Florian Westphal | Date: 2018-07-04 | Files: 1 | Lines: -1/+1

    limit http-traffic { rate 1/second }

  gets printed as

    limit http-traffic { rate 1/second burst 5 packets }

  caused tests/shell/run-tests.sh tests/shell/testcases/sets/0026named_limit_0
  to return 'DUMP FAIL'.

  Signed-off-by: Florian Westphal <fw@strlen.de>
  Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: Add socket expression to man page
  Author: Máté Eckl | Date: 2018-07-03 | Files: 1 | Lines: -0/+56

  Signed-off-by: Máté Eckl <ecklm94@gmail.com>

* nftables: tests: shell: Replace "%" with "#" or "$"
  Author: Arushi Singhal | Date: 2018-07-02 | Files: 1 | Lines: -5/+5

  Shell prompt ends with:

    "%", indicates a C shell.
    "$", indicates shell that's compatible with the Bash.
    "#", indicates shell is running as the system's root.

  So, "%" is replaced with "$" or "#".

  Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* netlink_delinearize: Refactor meta_may_dependency_kill()
  Author: Phil Sutter | Date: 2018-06-26 | Files: 5 | Lines: -40/+259

  The original intent was to fix a bug: The following rule in inet table:

  | meta nfproto ipv4 icmpv6 type echo-reply

  Was added correctly but when printing the meta match was falsely
  removed. The fix is to deny dependency killing if RHS family of nfproto
  match doesn't match RHS family of l4proto match.

  Adding this to the already large conditional led to even more
  unreadable code, therefore this patch tries to clean that up (and also
  removes the partial code duplication).

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* src: trace: fix policy printing
  Author: Florian Westphal | Date: 2018-06-26 | Files: 1 | Lines: -1/+30

  policy type is erroneously handled via verdict, this is wrong. It is a
  different event type and needs to be handled as such.

  before:

    trace id 42b54e71 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
    trace id 42b54e71 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue)
    trace id 42b54e71 inet filter input verdict continue
    trace id 42b54e71 inet filter input

  after:

    trace id 9f40c5c7 inet filter input packet: iif "lo" ip saddr 127.0.0.1 ..
    trace id 9f40c5c7 inet filter input rule ip protocol icmp nftrace set 1 (verdict continue)
    trace id 9f40c5c7 inet filter input verdict continue
    trace id 9f40c5c7 inet filter input policy drop

  Reported-by: vtol@gmx.net
  Signed-off-by: Florian Westphal <fw@strlen.de>

* tests/py: fix import when run from other directory
  Author: Eric Leblond | Date: 2018-06-21 | Files: 1 | Lines: -2/+2

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* tests/py: minor cleaning
  Author: Eric Leblond | Date: 2018-06-20 | Files: 1 | Lines: -4/+5

  Move import and use explicit parameter in object creation.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: fix make distcheck
  Author: Eric Leblond | Date: 2018-06-20 | Files: 1 | Lines: -4/+4

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* python: set license and author in nftables.py
  Author: Eric Leblond | Date: 2018-06-20 | Files: 1 | Lines: -0/+16

  It will be distributed separately so it is worth setting things
  correctly.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* python: installation of binding via make install
  Author: Eric Leblond | Date: 2018-06-20 | Files: 7 | Lines: -1/+87

  setup.py is used to build and install the python binding. Calls to
  setup.py are done in Makefile to proceed to build and installation.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* configure.ac: docbook2man invalid syntax error
  Author: Eric Leblond | Date: 2018-06-20 | Files: 1 | Lines: -6/+3

  docbook2man can not be used with the same option so let's remove it
  from the alternative. Fedora and debian seem to be fine with that.

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* configure.ac: remove useless braces in messages
  Author: Eric Leblond | Date: 2018-06-20 | Files: 1 | Lines: -2/+2

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* configure.ac: better message when a2x is missing
  Author: Eric Leblond | Date: 2018-06-20 | Files: 1 | Lines: -1/+1

  Signed-off-by: Eric Leblond <eric@regit.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* nftables: Fix typos/Grammatical Errors
  Author: Arushi Singhal | Date: 2018-06-19 | Files: 1 | Lines: -4/+4

  typos/Grammatical errors are corrected.

  Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
  Acked-by: Duncan Roe <duncan_roe@optusnet.com.au>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* Makefile: Introduce Make_global.am
  Author: Phil Sutter | Date: 2018-06-18 | Files: 2 | Lines: -1/+24

  Analogous to libnftnl's build system, define libnftables interface
  version in a variable in Make_global.am.

  Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: libnftables-json: Review asciidoc syntax
  Author: Phil Sutter | Date: 2018-06-18 | Files: 1 | Lines: -184/+142

  This changes asciidoc markup according to a few best practices
  recommended in [1] and a quick review of html output:

  * Use atx-style headings everywhere apart from the document title. This
    requires to explicitly disable compat-mode after the latter.
  * Use only the minimum number of dashes for listings.
  * Enclose verses with empty lines in a verse block instead of having
    multiple verses for it.
  * Indent continued lines in synopsis for added readability.

  [1] https://asciidoctor.org/docs/asciidoc-recommended-practices/

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* scanner: Do not convert tabs into spaces
  Author: Phil Sutter | Date: 2018-06-18 | Files: 1 | Lines: -15/+1

  Commit 2f86dd5a43baf ("erec: Review erec_print()") changed erec_print()
  function to expect tabs in input by replacing the whitespace character
  in the marker line at the same offset with a tab character so that the
  marker aligns with the offending part of input. The need for that came
  from JSON input not having its tabs converted to spaces, which
  erec_print() didn't expect.

  Above change though has a shortcoming: When reading standard syntax
  input from a file, Flex code converts tabs into spaces. Location
  information is taken from this converted input, but when printing an
  error message, the offending input line is read from the input file
  directly (which still contains tabs).

  The solution is to simply drop said tab conversion from scanner.l.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libnftables: Simplify nft_run_cmd_from_buffer footprint
  Author: Phil Sutter | Date: 2018-06-18 | Files: 9 | Lines: -21/+20

  With libnftables documentation being upstream and one confirmed
  external user (nftlb), time to break the API!

  First of all, the command buffer passed to nft_run_cmd_from_buffer may
  (and should) be const. One should consider it a bug if that function
  ever changed its content.

  On the other hand, there is no point in passing the buffer's length as
  separate argument: NULL bytes are not expected to occur in the input,
  so it is safe to rely upon strlen(). Also, the actual parsers don't
  require a buffer length passed to them, either. The only use-case for
  it is when reallocating the buffer to append a final newline character,
  there strlen() is perfectly sufficient.

  Suggested-by: Harald Welte <laforge@gnumonks.org>
  Cc: Laura Garcia Liebana <nevola@gmail.com>
  Cc: Eric Leblond <eric@regit.org>
  Cc: Arturo Borrero Gonzalez <arturo@netfilter.org>
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* libnftables: Fix exit_cookie()
  Author: Phil Sutter | Date: 2018-06-18 | Files: 1 | Lines: -0/+2

  The output and error buffer feature depends on cookie->orig_fp to
  indicate the current status of buffering: If it is set, a prior call to
  init_cookie() is assumed. Though exit_cookie() missed to reset that
  pointer to NULL, causing weird behaviour in applications if they do:

  | nft = nft_ctx_new(0);
  | nft_ctx_buffer_output(nft);
  | nft_ctx_unbuffer_output(nft);
  | nft_ctx_buffer_output(nft);

  While being at it, apply the same fix to error path in init_cookie() as
  well.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* doc: Fix typo in Makefile.am
  Author: Phil Sutter | Date: 2018-06-16 | Files: 1 | Lines: -1/+1

  Previous patch adding libnftables man page missed a backslash.

  Fixes: 3c57ff87b1b2b ("doc: Add libnftables man page")
  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Florian Westphal <fw@strlen.de>

* doc: Add libnftables man page
  Author: Phil Sutter | Date: 2018-06-15 | Files: 3 | Lines: -3/+324

  For now, use a single man page to describe all the functions exported
  by libnftables.

  Signed-off-by: Phil Sutter <phil@nwl.cc>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

* src: add dynamic flag and use it
  Author: Pablo Neira Ayuso | Date: 2018-06-12 | Files: 4 | Lines: -4/+7

  We need to signal the kernel to use a set backend that supports dynamic
  updates.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>